Skip to main content

GnuTLS TLS Multiple Vulnerabilities

Last Update Date: 22 Mar 2012 10:36 Release Date: 22 Mar 2012 5276 Views

RISK: Medium Risk

TYPE: Security software and application - Security Software & Appliance

TYPE: Security Software & Appliance

Multiple vulnerabilities have been identified in GnuTLS, which can be exploited by malicious people to potentially compromise an application using the library.

  1. A vulnerability in GnuTLS libtasn1 Tiny ASN.1 library is caused due to certain functions (e.g. "asn1_der_decoding()") not properly checking ASN1 length result from the "asn1_get_length_der()" function. This can be exploited to cause the library to use a large length value and corrupt memory via e.g. a specially crafted X.509 client certificate.
  2. An error within the block cipher decryption logic when handling TLS records can be exploited to corrupt memory via a specially crafted "GenericBlockCipher" structure.
  3. Some errors in the libtasn1 library can be exploited to corrupt memory.

Impact

  • Remote Code Execution

System / Technologies affected

  • GnuTLS versions prior to 2.12.18
  • GnuTLS versions prior to 3.0.16

Solutions

Before installation of the software, please visit the software manufacturer web-site for more details.

  • Update to version 2.12.18 or 3.0.16.

Vulnerability Identifier


Source


Related Link